http://www.fcw.com/online/news/151398-1.html
By Susan M. Menke
FCW.com
January 22, 2008
Inspector General Gregory Friedman hopes to lock down security on the
Energy Department's interconnected computer networks, after auditors
called 132 security breaches serious enough to report to law enforcement
in fiscal 2006 22 percent more than in the prior year.
The department's 69 organizations support as many as eight separate
intrusion and analysis groups, which do not use a common
incident-reporting format and do not always retain crucial information
about cyberattacks, the IG said in a report [1] released today. Some
sites opt out of monitoring their networks or even disable the sensor
equipment.
Energy has found such cyber weaknesses before but "does not specifically
require that incidents be reported to law enforcement or
counterintelligence officials," the report said. The IG recommends:
* Developing and implementing an enterprisewide cyber incident
management strategy
* Taking a consistent approach to developing or revising policies
across all Energy organizations.
* Finding a way to periodically test and evaluate the department's
overall performance in cybersecurity incidents.
The Office of the Chief Information Officer's Computer Incident Advisory
Capability has been watching cybersecurity and providing computer
forensics services to the department since 1989, at a cost of $6.8
million in fiscal 2006, the IG report said. Nevertheless, other groups,
such as the National Nuclear Security Administration's Information
Assurance Response Center and smaller organizations at various Energy
sites, compete with CIAC for authority and funding.
The CIO in 2006 called for "an integrated approach to management of
cyber incidents." The department's most recent guidance, however, does
not cover communications and coordination in "Incident Management
Guidance," known as CS-9. A draft replacement known as "Technical and
Management Requirement 9" does not address the duplication of security
efforts, the IG said. Plans to revitalize policies within 60 days of the
February 2006 acceptance of a similar report have yet to be approved.
The IG report said it took 10 months to learn that a hacker had stolen
the names and Social Security numbers of 1,500 Energy employees from an
NNSA site in 2005. Seven of 11 field sites audited, three federal and
eight contractor-operated, have not identified which of their systems
store such personal information or evaluated the risks of exposing it.
Energy's CIO will now draft a formal departmental cybersecurity strategy
by March 31, according to the report.
[1] http://www.ig.energy.gov/documents/IG-0787.pdf
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn